TLS: switch ssl_protocols to a comma separated list
This commit is contained in:
parent
c126f81d9a
commit
849c1a22a2
@ -145,7 +145,7 @@ Negotiate these security methods with clients.
|
|||||||
|
|
||||||
.TP
|
.TP
|
||||||
\fBssl_protocols\fP=\fI[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]\fP
|
\fBssl_protocols\fP=\fI[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]\fP
|
||||||
Enables the specified SSL/TLS protocols. Each value should be separated by space.
|
Enables the specified SSL/TLS protocols. Each value should be separated by comma.
|
||||||
SSLv2 is always disabled. At least one protocol should be given to accept TLS connections.
|
SSLv2 is always disabled. At least one protocol should be given to accept TLS connections.
|
||||||
This parameter is effective only if \fBsecurity_layer\fP is set to \fBtls\fP or \fBnegotiate\fP.
|
This parameter is effective only if \fBsecurity_layer\fP is set to \fBtls\fP or \fBnegotiate\fP.
|
||||||
|
|
||||||
|
@ -45,6 +45,7 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
|
|||||||
char *item = (char *)NULL;
|
char *item = (char *)NULL;
|
||||||
char *value = (char *)NULL;
|
char *value = (char *)NULL;
|
||||||
char cfg_file[256];
|
char cfg_file[256];
|
||||||
|
char *p = (char *)NULL;
|
||||||
char *tmp = (char *)NULL;
|
char *tmp = (char *)NULL;
|
||||||
int tmp_length = 0;
|
int tmp_length = 0;
|
||||||
|
|
||||||
@ -165,31 +166,36 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
|
|||||||
}
|
}
|
||||||
else if (g_strcasecmp(item, "ssl_protocols") == 0)
|
else if (g_strcasecmp(item, "ssl_protocols") == 0)
|
||||||
{
|
{
|
||||||
/* put leading/trailing space to properly detect "TLSv1" without regex */
|
/* put leading/trailing comma to properly detect "TLSv1" without regex */
|
||||||
tmp_length = g_strlen(value) + 3;
|
tmp_length = g_strlen(value) + 3;
|
||||||
tmp = g_new(char, tmp_length);
|
tmp = g_new(char, tmp_length);
|
||||||
g_snprintf(tmp, tmp_length, "%s%s%s", " ", value, " ");
|
g_snprintf(tmp, tmp_length, "%s%s%s", ",", value, ",");
|
||||||
|
/* to accept space after comma */
|
||||||
|
while ((p = (char *) g_strchr(tmp, ' ')) != NULL)
|
||||||
|
{
|
||||||
|
*p = ',';
|
||||||
|
}
|
||||||
|
|
||||||
/* disable all protocols first, enable later */
|
/* disable all protocols first, enable later */
|
||||||
client_info->ssl_protocols =
|
client_info->ssl_protocols =
|
||||||
SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
|
SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
|
||||||
|
|
||||||
if (g_pos(tmp, " TLSv1.2 ") >= 0)
|
if (g_pos(tmp, ",TLSv1.2,") >= 0)
|
||||||
{
|
{
|
||||||
log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled");
|
log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled");
|
||||||
client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_2;
|
client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_2;
|
||||||
}
|
}
|
||||||
if (g_pos(tmp, " TLSv1.1 ") >= 0)
|
if (g_pos(tmp, ",TLSv1.1,") >= 0)
|
||||||
{
|
{
|
||||||
log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled");
|
log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled");
|
||||||
client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_1;
|
client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_1;
|
||||||
}
|
}
|
||||||
if (g_pos(tmp, " TLSv1 ") >= 0)
|
if (g_pos(tmp, ",TLSv1,") >= 0)
|
||||||
{
|
{
|
||||||
log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled");
|
log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled");
|
||||||
client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1;
|
client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1;
|
||||||
}
|
}
|
||||||
if (g_pos(tmp, " SSLv3 ") >= 0)
|
if (g_pos(tmp, ",SSLv3,") >= 0)
|
||||||
{
|
{
|
||||||
log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled");
|
log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled");
|
||||||
client_info->ssl_protocols &= ~SSL_OP_NO_SSLv3;
|
client_info->ssl_protocols &= ~SSL_OP_NO_SSLv3;
|
||||||
|
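Review bot: The whitespace-folding loop added after the g_snprintf call rescans tmp from its start on every g_strchr iteration and only rewrites `' '`, so a tab following a comma leaves a token such as `,\tTLSv1.2,` that none of the g_pos checks match and that protocol stays silently disabled. A single forward pass that rewrites both space and tab is linear and covers that case; whether tabs can survive the config reader is not visible in this hunk. Separately, when no token matches, ssl_protocols keeps every SSL_OP_NO_* bit set and TLS connections will be refused with only the per-protocol debug lines to hint why, so a warning-level log_message at the end of the branch would make that misconfiguration visible. xrdp_rdp_read_config continues outside the hunk: the branch's closing brace and any g_free(tmp) are not shown.
```c
g_snprintf(tmp, tmp_length, "%s%s%s", ",", value, ",");
/* fold space and tab into commas so each token can be matched as ",NAME," */
for (p = tmp; *p != '\0'; p++)
{
    if (*p == ' ' || *p == '\t')
    {
        *p = ',';
    }
}
/* … unchanged: disable all, then enable each matched protocol … */
```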
@ -26,8 +26,8 @@ crypt_level=high
|
|||||||
certificate=
|
certificate=
|
||||||
key_file=
|
key_file=
|
||||||
; set SSL protocols
|
; set SSL protocols
|
||||||
; can be space separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'
|
; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'
|
||||||
ssl_protocols=TLSv1 TLSv1.1 TLSv1.2
|
ssl_protocols=TLSv1, TLSv1.1, TLSv1.2
|
||||||
; set TLS cipher suites (up to 63 characters)
|
; set TLS cipher suites (up to 63 characters)
|
||||||
#tls_ciphers=HIGH
|
#tls_ciphers=HIGH
|
||||||
|
|
||||||
|